China alleges that Claude Code contains backdoors, calls mechanism 'a serious threat' — Gov't claims Claude sends sensitive information to remote servers without consent
TL;DR
China's National Vulnerability Database warned against Claude Code versions released between April and June 2026, calling a built-in monitoring mechanism a backdoor vulnerability. The agency claims the tool could send location and identity data to remote servers without user consent, and told users to uninstall it or update. Tom's Hardware says the issue appears tied to a China-detection mechanism that checked time zones and domains to flag Chinese users.
Nauti's Take
China's accusation is politically loaded, but that does not make it useless. Anthropic has a real abuse problem with resellers and distillation, yet a hidden country-detection check inside a developer tool crosses the wrong line.
If agents are allowed deep into repos, terminals and workflows, telemetry has to be brutally transparent. Otherwise governments write the headline, and developers everywhere draw the conclusion.
Briefingshow
This hits a sensitive point for coding agents: they run locally, see projects, shells, tokens and work patterns, yet still depend on cloud services. Even if Anthropic intended anti-abuse rather than espionage, the lesson is blunt: hidden telemetry in developer tools destroys trust faster than any PR statement can repair it.